Bug 1379784 (CVE-2016-7797) - CVE-2016-7797 pacemaker: pacemaker remote nodes vulnerable to hijacking, resulting in a DoS attack
Status: CLOSED ERRATA
Alias: CVE-2016-7797
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1312094 1389439 1389440
Blocks: 1379785
Reported: 2016-09-27 16:20 UTC by Adam Mariš
Modified: 2021-02-17 03:15 UTC

Doc Text:
It was found that the connection between a pacemaker cluster and a pacemaker_remote node could be shut down using a new unauthenticated connection. A remote attacker could use this flaw to cause a denial of service.
Last Closed: 2016-11-04 08:19:40 UTC


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Cluster Labs | 5269 | 0 | None | None | None | 2016-10-03 09:11:00 UTC
Red Hat Product Errata | RHSA-2016:2578 | 0 | normal | SHIPPED_LIVE | Moderate: pacemaker security, bug fix, and enhancement update | 2016-11-03 12:07:24 UTC

Description Adam Mariš 2016-09-27 16:20:29 UTC
If a corosync node is connected to a pacemaker_remote node, the
connection can be trivially killed simply by connecting to the remote on its
standard TCP port (typically 3121):

2016-02-18T18:06:45.258661+00:00 d52-54-77-77-77-01 crmd[2637]:    error: Unexpected pacemaker_remote client takeover. Disconnecting

Takeover is allowed in order to support migration of the remote primitive from
one corosync node to another, but since this is a trivial denial of service
attack, it should only be allowed once a valid authkey is provided.

=> Upstream bug :
 - Bug 5269 - DoS: valid authkey should be required for takeover of a Pacemaker remote
http://bugs.clusterlabs.org/show_bug.cgi?id=5269

=> Upstream fix :
 - Fix: remote: cl#5269 - Notify other clients of a new connection only if the handshake has completed (bsc#967388)
https://github.com/ClusterLabs/pacemaker/commit/5ec24a26

Resolved in upstream pacemaker 1.1.15
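
Added example, not part of the original report or of pacemaker's own code: the following Python code scans syslog text for the crmd error quoted in the description and flags cluster nodes that log it repeatedly within a short window, which is the visible symptom on versions without the fix. The 10-minute window, the threshold of 2, the log layout beyond the one quoted line, and the host `node-b` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message text as it appears in the crmd log line quoted in the report.
TAKEOVER_MSG = "Unexpected pacemaker_remote client takeover"
# Layout assumed from that same line: RFC 3339 timestamp, host, crmd[pid], severity.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+crmd\[\d+\]:\s+error:\s+(?P<msg>.*)$"
)

# Constructed sample: the first entry is the report's line joined onto one
# line; the rest are invented for the demonstration ("node-b" is hypothetical).
SAMPLE_LOG = [
    "2016-02-18T18:06:45.258661+00:00 d52-54-77-77-77-01 crmd[2637]:    error: "
    "Unexpected pacemaker_remote client takeover. Disconnecting",
    "2016-02-18T18:06:50.100000+00:00 d52-54-77-77-77-01 crmd[2637]:   notice: "
    "constructed unrelated message",
    "2016-02-18T18:09:12.000000+00:00 d52-54-77-77-77-01 crmd[2637]:    error: "
    "Unexpected pacemaker_remote client takeover. Disconnecting",
    "2016-02-18T19:30:00.000000+00:00 node-b crmd[1200]:    error: "
    "Unexpected pacemaker_remote client takeover. Disconnecting",
]

def find_takeovers(lines):
    """Return {host: [datetime, ...]} for each takeover error logged by crmd."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and TAKEOVER_MSG in m.group("msg"):
            events[m.group("host")].append(datetime.fromisoformat(m.group("ts")))
    return dict(events)

def repeated_takeovers(events, window=timedelta(minutes=10), threshold=2):
    """Return {host: first timestamp} where `threshold` takeovers fall in `window`."""
    flagged = {}
    for host, stamps in events.items():
        stamps = sorted(stamps)
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[host] = stamps[i]
                break
    return flagged

if __name__ == "__main__":
    for host, first in repeated_takeovers(find_takeovers(SAMPLE_LOG)).items():
        print(f"{host}: repeated remote connection takeovers starting {first}")
```

Flagged hosts are candidates for review against planned migrations of the remote primitive, which the report names as the legitimate reason for a takeover.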

Comment 3 Cedric Buissart 2016-10-03 09:29:41 UTC
=> Fedora is not affected since Fedora 23 and 24 are using pacemaker-1.1.15.

=> Resolved in RHEL6.8, pacemaker-1.1.14-8.el6, via the following bugzilla :
 - Bug 1312092 - crmd can crash after unexpected remote connection takeover
https://bugzilla.redhat.com/show_bug.cgi?id=1312092

Corresponding errata : https://rhn.redhat.com/errata/RHBA-2016-0856.html

=> Planned resolution in RHEL7 via the following bugzilla :
 - Bug 1312094 - crmd can crash after unexpected remote connection takeover
https://bugzilla.redhat.com/show_bug.cgi?id=1312094

Comment 5 Cedric Buissart 2016-10-27 09:09:22 UTC
Acknowledgments:

Name: Alain Moulle (ATOS/BULL)

Comment 6 errata-xmlrpc 2016-11-03 19:00:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2578 https://rhn.redhat.com/errata/RHSA-2016-2578.html

